CVE-2025-70091 Overview
A cross-site scripting (XSS) vulnerability has been identified in the Customers function of OpenSourcePOS v3.4.1. This flaw allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Phone Number parameter. OpenSourcePOS is a popular open-source point-of-sale application used by small and medium businesses for retail operations, making this vulnerability particularly concerning for organizations handling customer data.
Critical Impact
Successful exploitation enables attackers to execute malicious scripts in the context of authenticated users, potentially leading to session hijacking, credential theft, customer data exposure, and unauthorized actions within the point-of-sale system.
Affected Products
- OpenSourcePOS (Open Source Point of Sale) version 3.4.1
- Customers function / Phone Number parameter input field
- Web-based administrative interface
Discovery Timeline
- 2026-02-13 - CVE-2025-70091 published to NVD
- 2026-02-17 - Last updated in NVD database
Technical Details for CVE-2025-70091
Vulnerability Analysis
This stored XSS vulnerability resides in the Customers management function of OpenSourcePOS. The application fails to properly sanitize user-supplied input in the Phone Number parameter before rendering it in the browser. When an attacker submits a malicious JavaScript payload as a phone number value, the script is stored in the database and subsequently executed whenever the customer record is viewed by other users, including administrators.
The vulnerability requires low privileges to exploit, meaning an attacker needs some level of authenticated access to the system to inject the malicious payload. However, the scope is changed (S:C in CVSS terms), indicating that the impact extends beyond the vulnerable component itself—scripts execute in the browser context of other users viewing the poisoned data.
Root Cause
The root cause of this vulnerability is improper input validation and output encoding in the Customers module. The Phone Number parameter accepts arbitrary input without sanitizing potentially dangerous characters such as angle brackets (<, >), quotes, and script tags. When the stored data is retrieved and displayed, it is rendered without proper HTML entity encoding, allowing embedded JavaScript to execute in the victim's browser session.
This represents a classic CWE-79 (Improper Neutralization of Input During Web Page Generation) weakness where the application trusts user-controlled data and fails to implement defense-in-depth measures such as Content Security Policy headers or output encoding.
Attack Vector
The attack is network-based and requires user interaction—a victim must view the poisoned customer record for the malicious script to execute. An attacker with low-level access to the OpenSourcePOS system can navigate to the customer management interface and create or modify a customer entry, inserting JavaScript code into the Phone Number field.
When another user (particularly an administrator or staff member) views this customer record, the injected script executes within their browser session. This enables various attack scenarios including:
- Session Hijacking: Stealing session cookies to impersonate the victim
- Keylogging: Capturing keystrokes entered on the page
- Phishing: Injecting fake login forms to harvest credentials
- Data Exfiltration: Accessing and transmitting sensitive customer or transaction data
- Privilege Escalation: Performing administrative actions using the victim's elevated permissions
Exploiting the vulnerability does not require sophisticated tools: the attacker only needs to craft a payload, such as a script tag containing malicious JavaScript, and submit it through the normal customer creation form. For detailed technical information, refer to the CVE-2025-70091 research documentation.
Detection Methods for CVE-2025-70091
Indicators of Compromise
- Unexpected JavaScript code or HTML tags present in customer phone number fields within the database
- Anomalous network requests originating from user browsers to external domains when viewing customer records
- Customer records containing suspicious characters such as <script>, onerror=, onload=, or encoded variants
- Browser console errors or warnings related to Content Security Policy violations when viewing customer data
Detection Strategies
- Implement database queries to scan customer records for script tags, event handlers, and common XSS payload patterns in the Phone Number field
- Deploy Web Application Firewall (WAF) rules to detect and block XSS patterns in form submissions to the customer management endpoints
- Enable browser-side Content Security Policy reporting to capture violation attempts that may indicate exploitation
- Configure SentinelOne Singularity Platform to monitor for suspicious web browser behavior and script injection attempts on endpoints accessing OpenSourcePOS
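The first detection strategy above (scanning stored customer records for script tags, event handlers and encoded variants) and the monitoring recommendation to alert on unusually long phone number values can be combined in one offline scan. The following is an added example written for this page, not code from the OpenSourcePOS project; the records are constructed stand-ins for rows exported from the customers table, and the `person_id` and `phone_number` column names are assumptions.

```python
import html
import re
import urllib.parse

# Constructed sample rows standing in for an export of the OpenSourcePOS
# customers table (column names assumed). Rows 3-7 are the kind of values
# the advisory lists as indicators of compromise.
SAMPLE_RECORDS = [
    {"person_id": 1, "phone_number": "+1 (555) 010-2000"},
    {"person_id": 2, "phone_number": "555.010.2001 ext. 12"},
    {"person_id": 3, "phone_number": "<script>alert(1)</script>"},
    {"person_id": 4, "phone_number": "<img src=x onerror=alert(1)>"},
    {"person_id": 5, "phone_number": "%3Cscript%3Ealert(1)%3C%2Fscript%3E"},
    {"person_id": 6, "phone_number": "&lt;svg onload=alert(1)&gt;"},
    {"person_id": 7, "phone_number": "0" * 300},
]

# Patterns drawn from the advisory's IoC list: script/markup tags, inline
# event handlers (onerror=, onload=, ...) and javascript: URLs.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|object|embed)\b"
    r"|\bon[a-z]+\s*="
    r"|javascript\s*:",
    re.IGNORECASE,
)

# Allow-list of characters a legitimate phone number uses: digits, spaces,
# common separators and an extension marker. Anything else is worth a look.
PHONE_ALLOWED = re.compile(r"^[0-9+()\-.\s/xextEXT#]+$")

# Values longer than this are treated as a deviation from baseline.
MAX_PHONE_LENGTH = 40


def normalize(value: str) -> str:
    """Undo one layer of URL encoding and one layer of HTML entity encoding
    so that encoded payloads match the same patterns as plain ones."""
    return html.unescape(urllib.parse.unquote(value))


def classify(value: str) -> list:
    """Return the list of reasons a phone_number value looks suspicious
    (empty list means the value looks like an ordinary phone number)."""
    reasons = []
    decoded = normalize(value)
    if SUSPICIOUS.search(decoded):
        reasons.append("xss_pattern")
        if decoded != value:
            # The pattern only appeared after decoding: an encoded variant.
            reasons.append("encoded_variant")
    if not PHONE_ALLOWED.fullmatch(value):
        reasons.append("outside_phone_allowlist")
    if len(value) > MAX_PHONE_LENGTH:
        reasons.append("unusual_length")
    return reasons


def scan(records):
    """Scan exported rows and return (person_id, reasons) for each hit."""
    findings = []
    for rec in records:
        reasons = classify(rec["phone_number"])
        if reasons:
            findings.append((rec["person_id"], reasons))
    return findings


if __name__ == "__main__":
    for person_id, reasons in scan(SAMPLE_RECORDS):
        print(f"person_id={person_id}: {', '.join(reasons)}")
```

Decoding before matching is what catches rows 5 and 6: a payload stored URL-encoded or entity-encoded is harmless in one rendering context and live in another, so a scan that only looks for a literal `<script>` misses it. Row 7 carries no markup at all and is flagged purely on length, which is the baseline deviation the monitoring recommendations describe.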
Monitoring Recommendations
- Review application logs for unusual POST requests to customer creation or modification endpoints containing special characters
- Establish baseline behavior for the Customers module and alert on deviations such as unusually long phone number values
- Monitor for outbound connections from client browsers to unknown external domains during OpenSourcePOS sessions
- Implement real-time alerting for any database changes to customer records that include HTML or JavaScript syntax
How to Mitigate CVE-2025-70091
Immediate Actions Required
- Audit all existing customer records in the OpenSourcePOS database for malicious scripts in the Phone Number field and sanitize any compromised entries
- Implement server-side input validation to restrict the Phone Number field to numeric characters, spaces, and common phone number symbols only
- Apply output encoding (HTML entity encoding) to all user-supplied data before rendering it in the browser
- Deploy a Web Application Firewall with XSS filtering rules as an additional layer of defense
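The second and third actions above (restricting the Phone Number field to an allow-list on input, and HTML-entity encoding every user-supplied value on output) are the two layers that close a CWE-79 defect. The following added example, written for this page and not taken from OpenSourcePOS's own PHP code, shows both layers in Python next to a minimal reproduction of the unsafe rendering the advisory describes; the allow-list pattern and the function names are assumptions.

```python
import html
import re

# Server-side allow-list for the Phone Number field (assumed policy, not the
# project's own rule): optional leading +, then digits with spaces, dots,
# dashes and parentheses, and an optional "x"/"ext" extension.
PHONE_PATTERN = re.compile(
    r"^\+?[0-9][0-9\s().\-]{4,30}(?:\s?(?:x|ext\.?)\s?[0-9]{1,6})?$",
    re.IGNORECASE,
)


def validate_phone(raw: str) -> str:
    """Input layer: reject anything outside the allow-list before it is
    stored. Raises ValueError so the request handler can return a 4xx."""
    value = raw.strip()
    if not PHONE_PATTERN.fullmatch(value):
        raise ValueError("phone number contains characters outside the allow-list")
    return value


def render_customer_row_vulnerable(customer: dict) -> str:
    """Reproduces the flaw in the advisory: stored data is interpolated
    straight into HTML, so any markup in phone_number becomes live markup."""
    return f"<tr><td>{customer['name']}</td><td>{customer['phone_number']}</td></tr>"


def render_customer_row(customer: dict) -> str:
    """Output layer: every user-supplied value is HTML-entity encoded at the
    point of output, independent of whatever validation happened on input.
    This is what protects rows that were stored before validation existed."""
    name = html.escape(customer["name"], quote=True)
    phone = html.escape(customer["phone_number"], quote=True)
    return f"<tr><td>{name}</td><td>{phone}</td></tr>"


def store_customer(name: str, phone_raw: str) -> dict:
    """Combine both layers: validate on the way in, encode on the way out."""
    return {"name": name, "phone_number": validate_phone(phone_raw)}


if __name__ == "__main__":
    # Constructed value of the kind the advisory describes.
    poisoned = {"name": "A & B", "phone_number": "<script>alert(1)</script>"}
    print("unsafe:", render_customer_row_vulnerable(poisoned))
    print("safe:  ", render_customer_row(poisoned))
    try:
        store_customer("A & B", poisoned["phone_number"])
    except ValueError as exc:
        print("rejected on input:", exc)
```

Output encoding is the layer to apply first during remediation: it neutralises records that are already in the database (the first action above, auditing existing rows, finds them but encoding renders them inert even before they are cleaned), whereas input validation only protects records created after the fix ships.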
Patch Information
At the time of publication, users should monitor the OpenSourcePOS official website for security updates and patch releases addressing this vulnerability. Review the vulnerability research documentation for additional technical details and any interim guidance from the researcher.
Workarounds
- Restrict access to customer management functions to only trusted personnel until a patch is available
- Implement a Content Security Policy (CSP) header that prevents inline script execution and restricts script sources
- Deploy input validation at the web server or reverse proxy level to reject requests containing script tags or event handlers
- Consider temporarily making the Phone Number field read-only or removing it from customer-facing forms if not essential to operations
# Example: Apache Content Security Policy configuration
# Add to .htaccess or virtual host configuration
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"
# Example: Nginx Content Security Policy configuration
# Add to server block
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.